CIOReview
November - 2017

IN MY OPINION

INFORMATION SECURITY: YOUR PEOPLE, YOUR FIRST LINE OF DEFENSE

By Eddie Borrero, CISO, Robert Half [NYSE:RHI]

A company can put together as many technology solutions or policies as it likes, but, in the end, its people are the most important element in information security. If the employees in your organization don't feel personally invested in improving your organization's security, your defenses will always be lacking.

Firms that inspire in their employees a security mindset and personal sense of responsibility for keeping the business secure are definitely on the right track. According to research by Ponemon Institute, the average total cost of a data breach is more than US $3.6 million, and one in four organizations can expect to experience a breach. Also, cybersecurity breaches are only getting larger in terms of the number of files and accounts--and people--affected.

Your business may need to experiment a bit before discovering the secret recipe for turning your team members into information security advocates, but the effort is well worth it. At Robert Half, we're taking steps to motivate our global employee base to view information security as a priority. We're continually looking for new ways to engage our staff, so they want to get involved in helping the business adopt and apply best practices.

To turn your workforce into a team of information security advocates, you need to make security personal to them. This means helping them understand that lax security practices don't just impact them at work, they also hit them at home.

One strategy we use to do this in our organization is our "Data Defenders" program. It gamifies security, and is designed to help employees feel more personally invested in protecting our company and its data and systems. Here are a few things we've learned so far from our work on this initiative that you might find useful as you create your own programs:

1. Build your Security Messages into your Culture

Our campaign focuses on educating people using every communication channel in our company--newsletters, posters, intranet sites, town-hall meetings, videos, annual trainings, and more. A multipronged approach to communication helps ensure we reach every employee in the format that speaks personally to them. They need to plainly see that the program you're promoting isn't just a mandate from IT or compliance, but a company-wide effort supported by business leadership. When professionals observe their leaders and coworkers all striving toward a common goal, they often want to join in. And today, with so much news about data breaches in the spotlight, they can easily see the relevance and value in shoring up security efforts.

2. Forget a 'One-Size-Fits-All' Approach

Generic education about security doesn't work. You need to tailor it, personalize it. That's why we're now experimenting with "personas" that represent different types of people in our company. The personas tie back to how people work, and what their roles are. We've identified the security risks for each persona--for example, the kinds of phishing an employee in accounting might encounter--and what people who fit those personas can do to help protect the company.

We're just starting to introduce personas as part of our annual security awareness training. But we think they're going to go a long way toward helping our employees make a strong connection between security risks and their day-to-day work experience.